Cyber Eye: Response to worms is good, but prevention is better

William Jackson

Last month, Microsoft Corp. doled out the first payment from its antivirus reward program, paying $250,000 to two people who helped identify the author of last year's Sasser worm.

Sven Jaschan was arrested in Germany within a week of the April 29, 2004, release of the worm, which exploited a vulnerability in the Windows operating system. Jaschan, who reportedly also was involved with the creation of the Netsky worm, confessed to writing Sasser. Because he was only 17 years old at the time he wrote the worm, a German court sentenced him last month to 21 months probation.

Nancy Anderson, Microsoft deputy counsel and vice president, called it a 'best-case scenario.'

'This is the first case where we're paying out a reward,' Anderson said. 'I definitely consider it a success. Within days of the Sasser worm being released, someone had come forth with information because of the reward program.'

Anderson said reward offers have been made in three other cases.

Despite the rapid response, Sasser managed to jump to the top spot on the monthly list of most prevalent viruses compiled by Sophos PLC, a British antivirus-software company. Sasser accounted for more than 50 percent of infections reported in May 2004, and an impressive 26 percent of all infections reported to Sophos in the first half of the year.

Arresting and convicting Jaschan is like punching in the nose the guy who sneezes on you in the subway. It gives you a certain amount of satisfaction and teaches him not to do it again, but you still have his cold and will likely pass it along to your family. It's much better to avoid getting infected in the first place.

Avoid the sneeze

Law enforcement is necessarily a reactive process, and the Sasser case points out the importance of protecting yourself in advance of malicious code and other threats.

Patching vulnerabilities in IT systems is a never-ending race against exploits, and sometimes it seems like the faster you run, the closer the bad guys get. But a good patch management program still is essential to maintaining security, even if it is not always possible to properly test and install all critical patches before exploits appear.

And although there is an inevitable gap in protection with antivirus and other signature-based tools, it is important to keep those signatures updated. Interestingly, stealthy attacks that could give you more time to patch and update systems seem to be replacing worms like SQL Slammer, which spread at blinding speed.

Before patches and new signatures are released, you can also protect yourself by properly configuring your systems and applications, turning off services that are not needed and blocking files that are not necessary. Intrusion prevention systems can help block malicious traffic, and monitoring outgoing traffic can help you identify and isolate compromised systems when your defenses have been penetrated.
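As an added illustration of the last point above (monitoring outgoing traffic to spot compromised systems), and not code from the column: a small Python check that reads outbound connection log lines and flags any source host that fans out to many distinct destinations on one port with mostly failed connections, the pattern a scanning worm leaves from inside the network. The log format, the sample addresses and the thresholds are all assumptions constructed for this example.

```python
# Added example, not from the original column. Assumed log format per line:
# "<timestamp> <src_ip> <dst_ip> <dst_port> <result>"; thresholds are assumed.
from collections import defaultdict

# Constructed sample: 10.0.0.5 fans out to many hosts on one port and mostly fails.
SAMPLE_LOG = """\
1 10.0.0.5 10.0.1.10 445 fail
2 10.0.0.5 10.0.1.11 445 fail
3 10.0.0.5 10.0.1.12 445 fail
4 10.0.0.5 10.0.1.13 445 fail
5 10.0.0.5 10.0.1.14 445 ok
6 10.0.0.7 10.0.2.1 443 ok
7 10.0.0.7 10.0.2.1 443 ok
8 10.0.0.7 10.0.2.2 80 ok
"""

def parse(log):
    """Yield (ts, src, dst, port, result) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, result = parts
        yield int(ts), src, dst, int(port), result

def find_scanners(log, min_targets=4, min_fail_ratio=0.5):
    """Return {src: (port, distinct_targets, fail_ratio)} for hosts that contact
    at least min_targets distinct hosts on one port with a failure ratio of at
    least min_fail_ratio. Both thresholds are assumed values for illustration."""
    targets = defaultdict(set)   # (src, port) -> set of distinct destinations
    attempts = defaultdict(int)  # (src, port) -> total connection attempts
    fails = defaultdict(int)     # (src, port) -> failed connection attempts
    for _, src, dst, port, result in parse(log):
        key = (src, port)
        targets[key].add(dst)
        attempts[key] += 1
        if result != "ok":
            fails[key] += 1
    flagged = {}
    for (src, port), dsts in targets.items():
        ratio = fails[(src, port)] / attempts[(src, port)]
        if len(dsts) >= min_targets and ratio >= min_fail_ratio:
            flagged[src] = (port, len(dsts), ratio)
    return flagged

if __name__ == "__main__":
    for src, (port, n, ratio) in find_scanners(SAMPLE_LOG).items():
        print(f"isolate {src}: {n} hosts on port {port}, {ratio:.0%} failed")
```

Raising min_targets or min_fail_ratio trades missed slow scanners for fewer false positives on busy but legitimate hosts.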

In short, make sure all the common-sense measures you already know how to do get done. Don't open suspicious attachments, and don't sit down next to the sniffling, sneezing guy on the subway; your chances of avoiding a virus will improve greatly.

William Jackson is a GCN senior writer. E-mail him at wjackson@postnewsweektech.com.
